FortiWiFi and FortiAP Configuration Guide

Configuring WPA2-Enterprise SSID

This section provides configuration instructions for deploying WPA2-Enterprise SSID with FortiAP using either FortiOS user groups or a RADIUS server for authentication. Once you configure your authentication method, the remaining steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows the network topology using RADIUS server authentication:

For instructions on how to configure user authentication with locally stored FortiOS user groups, see Basic wireless network example. Note that authentication with local groups only supports PEAP, not EAP-TLS.

To configure WPA2-Enterprise SSID to FortiAP units with RADIUS server authentication - GUI
  1. Create a RADIUS server:
    1. Go to User & Authentication > RADIUS Servers and click Create New.
    2. Enter a Name for the server.
    3. Under Primary Server, enter the IP address or server name.
    4. In the Secret field, enter the secret key used to access the server.
    5. Click Test Connectivity to verify the connection with the RADIUS server.
    6. Click Test User Credentials to verify that the user account can be authenticated with the RADIUS server.
    7. Optionally, enter the information for a secondary or backup RADIUS server.
    8. Click OK.
  2. Create a WPA2-Enterprise SSID:
    1. Go to WiFi and Switch Controller > SSIDs and click Create New > SSID.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
    5. In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step 1.
    6. Click OK.
To configure WPA2-Enterprise SSID to FortiAP units with user group authentication - GUI
  1. Create a user group:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter a group name.
    3. For Type, select Firewall.
    4. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
    5. Click OK.
  2. Create a WPA2-Enterprise SSID:
    1. Go to WiFi and Switch Controller > SSIDs and click Create New > SSID.
    2. Enter an interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
    5. In the Authentication field, select Local. From the dropdown list, select the user group(s) permitted to use the wireless network.
    6. Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units - GUI

Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:

  1. Select the SSID by editing the FortiAP:
    1. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
    2. Ensure that Managed AP Status is Connected.
    3. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
    4. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Enterprise SSID created in the previous procedure (the wifi-vap interface, broadcast as Fortinet-Ent-Radius, in this example).
    5. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same WPA2-Enterprise SSID.
    6. Click OK.
  2. Select the SSID by editing the FortiAP profile:
    1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
    2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Enterprise SSID created in the previous procedure (the wifi-vap interface, broadcast as Fortinet-Ent-Radius, in this example).
    3. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same WPA2-Enterprise SSID.
    4. Click OK.
  3. Create the SSID-to-Internet firewall policy:

    1. Go to Policy & Objects > Firewall Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units - CLI
  1. Configure an authentication method (RADIUS server or user group):
  • Create a RADIUS server:

    config user radius
        edit "wifi-radius"
            set server "172.16.200.55"
            set secret fortinet
        next
    end

    The secret shown is only a placeholder. Use a long, random shared secret in production: it is the value that authenticates every RADIUS exchange between the FortiGate and the server, and it is stored in the FortiGate configuration.

  • Create a user group:

    config user group
        edit "group-radius"
            set member "wifi-radius"
        next
    end

  2. Create a WPA2-Enterprise SSID:
  • Create an SSID with authentication from the RADIUS server:

    config wireless-controller vap
        edit "wifi-vap"
            set ssid "Fortinet-Ent-Radius"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "wifi-radius"
        next
    end

  • Create an SSID with authentication from the user group:

    config wireless-controller vap
        edit "wifi-vap"
            set ssid "Fortinet-Ent-Radius"
            set security wpa2-only-enterprise
            set auth usergroup
            set usergroup "group-radius"
        next
    end

  3. Configure an IP address and enable DHCP:

    config system interface
        edit "wifi-vap"
            set ip 10.10.80.1 255.255.255.0
        next
    end

    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.10.80.1
            set netmask 255.255.255.0
            set interface "wifi-vap"
            config ip-range
                edit 1
                    set start-ip 10.10.80.2
                    set end-ip 10.10.80.254
                next
            end
            set timezone-option default
        next
    end

  4. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Setting vap-all to disable pins each radio to the explicit SSID list in vaps:

    config wireless-controller wtp
        edit "FP320C3X14000640"
            set admin enable
            set wtp-profile "FAP320C-default"
        next
    end

    config wireless-controller wtp-profile
        edit "FAP320C-default"
            config radio-1
                set vap-all disable
                set vaps "wifi-vap"
            end
            config radio-2
                set vap-all disable
                set vaps "wifi-vap"
            end
        next
    end

  5. Create the SSID-to-Internet firewall policy:

    config firewall policy
        edit 1
            set name "WiFi to Internet"
            set srcintf "wifi-vap"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
    end
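The CLI fragments above can be checked offline before they are pushed to a FortiGate. The following Python script is an added example, not Fortinet code: it parses the config / edit / set / next / end syntax used on this page into nested dictionaries and lints the result for the points the procedure relies on (the SSID in an enterprise security mode, radius-server or usergroup references resolving to defined objects, each radio pinned to an explicit SSID list with vap-all disable, the RADIUS shared secret not being a short or placeholder value, and an any-service accept policy). The embedded sample configuration is constructed from the page's CLI steps; the weak-secret word list and the 16-character minimum are the example's own thresholds, not Fortinet guidance.

```python
import shlex

# Constructed sample from the page's CLI steps (interface/DHCP and wtp entries omitted);
# the page's placeholder secret is kept so the secret check fires.
SAMPLE_CONFIG = """
config user radius
    edit "wifi-radius"
        set server "172.16.200.55"
        set secret fortinet
    next
end
config user group
    edit "group-radius"
        set member "wifi-radius"
    next
end
config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Ent-Radius"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "wifi-radius"
    next
end
config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end
config firewall policy
    edit 1
        set srcintf "wifi-vap"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""
WEAK_SECRETS = {"fortinet", "secret", "password", "radius", "testing123"}  # example list
MIN_SECRET_LEN = 16  # example floor, not Fortinet guidance


def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: {table: {entry: {setting: [values]}}}.
    A `config` nested inside an entry (e.g. radio-1) appears under its own key."""
    it = iter([shlex.split(l) for l in text.splitlines() if l.strip()] + [["<eof>"]])

    def scope(closer):  # consume tokens until `closer`: 'end' for config, 'next' for edit
        entries, settings = {}, {}
        for t in it:  # nested calls share the iterator, so recursion resumes where it left off
            if t[0] == closer:
                return entries or settings
            if t[0] == "edit":
                entries[t[1]] = scope("next")
            elif t[0] == "set":
                settings[t[1]] = t[2:]
            elif t[0] == "config":
                settings[" ".join(t[1:])] = scope("end")
            else:
                raise ValueError(f"unexpected {t!r} while looking for {closer!r}")
        raise ValueError(f"missing {closer!r}")

    return scope("<eof>")


def lint(tables):
    """Return findings for the invariants the WPA2-Enterprise procedure relies on."""
    out = []
    radius, groups, vaps = (tables.get(k, {}) for k in
                            ("user radius", "user group", "wireless-controller vap"))
    for name, r in radius.items():
        secret = r.get("secret", [""])[0]
        if len(secret) < MIN_SECRET_LEN or secret.lower() in WEAK_SECRETS:
            out.append(f"user radius {name}: shared secret is short or a placeholder")
    for name, v in vaps.items():
        if "enterprise" not in v.get("security", [""])[0]:
            out.append(f"vap {name}: security is not an enterprise (802.1X) mode")
        auth = v.get("auth", [""])[0]
        if auth == "radius" and v.get("radius-server", [""])[0] not in radius:
            out.append(f"vap {name}: radius-server does not name a defined RADIUS server")
        elif auth == "usergroup":
            for g in v.get("usergroup", []):
                if g not in groups:
                    out.append(f"vap {name}: usergroup {g!r} is not defined")
                elif not set(groups[g].get("member", [])) & set(radius):
                    out.append(f"vap {name}: usergroup {g!r} has no RADIUS member (local users only)")
        elif auth != "radius":
            out.append(f"vap {name}: auth must be radius or usergroup, got {auth!r}")
    for pname, prof in tables.get("wireless-controller wtp-profile", {}).items():
        for key, radio in prof.items():
            if not key.startswith("radio-"):
                continue
            if radio.get("vap-all", [""])[0] != "disable":
                out.append(f"wtp-profile {pname} {key}: vap-all not disabled, SSID list is not explicit")
    for pid, p in tables.get("firewall policy", {}).items():
        if p.get("action") == ["accept"] and p.get("service") == ["ALL"] and p.get("dstaddr") == ["all"]:
            out.append(f"firewall policy {pid}: accepts ALL services to any destination; narrow it")
    return out
```

Feed it the relevant config sections copied from the FortiGate CLI; the parser expects only config, edit, set, next and end lines, so strip the comment lines at the top of a full configuration backup before running it. On the sample it reports the placeholder secret and the any-service policy; replacing the secret with a long random value and narrowing the service list clears both findings.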
